Regulations on the accreditation of testing laboratories and bodies for certification of information security tools according to information security requirements.
APPROVED
by the Chairman of the State
Technical Commission under the
President of the Russian Federation
Yu. Yashin
November 25, 1994
REGULATION
on the accreditation of testing laboratories and bodies for certification of information protection tools
according to information security requirements
1. General Provisions
2. Accreditation Procedure
3. Control and supervision of the activities of accredited testing laboratories and certification bodies
4. Cancellation of accreditation
Appendix 1
Appendix 2
Appendix 3
Appendix 4
Appendix 5
Appendix 6
Appendix 7
Appendix 8
1. GENERAL PROVISIONS
1.1. These Regulations establish the basic principles of accreditation of legal entities — enterprises, organizations and institutions (hereinafter referred to as «enterprises») as testing laboratories and bodies for certification of information security tools in the system of certification of information security tools according to information security requirements.
1.2. The Regulation has been developed in accordance with the Law of the Russian Federation «On Certification of Products and Services» and the Decree of the Government of the Russian Federation «On Certification of Information Security Tools», and is based on the «GOST R Certification System», «Rules for Conducting Certification in the Russian Federation», «Regulations on Certification of Information Security Tools According to Information Security Requirements», «Regulations on State Licensing of Activities in the Field of Information Security».
1.3. Accreditation of an enterprise as a certification body for information security tools according to information security requirements (hereinafter referred to as the certification body) is an official recognition of its technical competence and independence from developers, manufacturers (suppliers) and customers (consumers) of tested information security tools for organizing and conducting tests in accordance with the requirements of standards or other regulatory documents.
Accreditation of an enterprise as a testing laboratory may be an official recognition only of its technical competence in conducting tests. At the same time, tests for certification purposes may be carried out only under the supervision of representatives of the certification body for the relevant information security tools.
Accreditation is carried out only if the specified bodies and laboratories have licenses for the relevant types of activities.
1.4. When an enterprise is accredited, it is issued an Accreditation Certificate (Appendices 1, 2) indicating the scope of accreditation. The validity period of the Accreditation Certificate must not exceed five years.
1.5. The accreditation requirements established by this document are common to all types of testing of information security tools. If necessary, they can be supplemented by other requirements based on the specifics of the activities of a particular enterprise.
1.6. Accreditation of enterprises is carried out by the State Technical Commission under the President of the Russian Federation (State Technical Commission of Russia).
2. PROCEDURE FOR ACCREDITATION OF AN ENTERPRISE
2.1. Accreditation includes the following stages:
- review of documents submitted by the enterprise;
- inspection of the enterprise by a commission determined by the State Technical Commission of Russia;
- making a decision on accreditation based on the inspection results;
- registration, execution and issuance of the Accreditation Certificate.
2.2. An enterprise applying for accreditation must submit an application for accreditation (Appendices 3, 4). Along with the application, a draft Regulation on the certification body or testing laboratory with the declared scope of accreditation (Appendix 5) shall be submitted. In case of accreditation of an enterprise as a testing laboratory for information security tools, the application shall be additionally accompanied by a passport of the testing laboratory (Appendix 6) and a questionnaire (Appendix 7).
2.3. After reviewing the submitted materials, a commission is created to inspect the enterprise. The composition of the commission is formed from specialists of the territorial bodies of the State Technical Commission of Russia, industry, regional information protection centers, other organizations and enterprises competent in the field of information protection, and is approved by the head of the State Technical Commission of Russia.
2.4. The inspection is conducted to ensure that the actual state of the enterprise corresponds to the submitted documents and to ensure that it is able to perform the declared functions. Based on the inspection results, the commission draws up a report (in the case of a testing laboratory for information security tools, the report form is provided in Appendix 8), which is signed by the commission members and submitted for review to the head of the accredited enterprise.
2.5. The decision to accredit an enterprise is made after reviewing all the information received about the state of the enterprise and its readiness for accreditation. The accredited enterprise is entered by the State Technical Commission of Russia into the state register of the system and is issued an Accreditation Certificate.
2.6. Six months before the expiration of the Accreditation Certificate, an enterprise intending to extend its validity shall submit an application in accordance with paragraph 2.2 of this document.
The procedure for re-accreditation is established depending on the results of control and can be carried out according to the full or shortened procedure established in each specific case.
2.7. Accreditation in an additional area.
2.7.1. A certification body or testing laboratory applying for an extension of its accreditation area shall submit an application for accreditation in an additional area (Appendices 3, 4).
The following documents shall be attached to the application:
information on the additional area of accreditation;
additions to the Passport (Appendix 5).
2.7.2. Accreditation may be carried out according to a full or abbreviated program established in each specific case.
3. CONTROL AND SUPERVISION OF THE ACTIVITIES OF ACCREDITED TESTING LABORATORIES AND CERTIFICATION BODIES
3.1. Control may be carried out by:
- periodic inspections;
- provision by the enterprise of regular information on the quality of the tests it carries out, on the results of periodic internal audits of the quality assurance system of tests, on customer complaints, etc.;
- any other control actions that can provide confidence that the enterprise, during the validity period of the Accreditation Certificate, complies with the requirements imposed on it during accreditation.
3.2. The control conditions for each enterprise are determined in the relevant Regulation on the certification body (testing laboratory) when making a decision on its accreditation.
3.3. The costs of carrying out all types of work on the accreditation of enterprises as testing laboratories and certification bodies, on the implementation of control and supervision over their activities shall be paid by applicants in the manner established by the State Technical Commission of Russia in agreement with the Ministry of Finance of the Russian Federation.
4. CANCELLATION OF ACCREDITATION OF ENTERPRISES AS TESTING LABORATORIES AND CERTIFICATION BODIES
4.1. Accreditation of an enterprise may be cancelled early in the following cases:
- non-compliance of the enterprise with the requirements imposed on accredited enterprises;
- an independent decision of an accredited enterprise to terminate its accreditation early.
An enterprise may appeal a decision on any accreditation issues to the State Arbitration Court of Russia within 15 days.
HEAD OF THE DEPARTMENT OF THE STATE TECHNICAL
COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
V. Virkovsky
November 24, 1994
Appendix 1
STATE TECHNICAL COMMISSION
UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
————————————————-
CERTIFICATION SYSTEM OF INFORMATION SECURITY MEANS
INFORMATION SECURITY REQUIREMENTS
CERTIFICATE OF ACCREDITATION OF THE CERTIFICATION BODY
Valid until «____»__________19__.
Registered in the state register of the certification system
information security means in accordance with information security requirements
«____» __________ 19__. N ______________
THE STATE TECHNICAL COMMISSION OF RUSSIA CERTIFIES THAT ______________________________
name of the enterprise —
______________________________________________________________________
of the certification body, address, OKPO code
ACCREDITED BY THE STATE TECHNICAL COMMISSION UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION IN THE INFORMATION SECURITY MEANS CERTIFICATION SYSTEM ACCORDING TO INFORMATION SECURITY REQUIREMENTS FOR CARRYING OUT WORK ON CERTIFICATION.
The scope of accreditation is defined in the appendix to this Certificate.
Head of the State Technical Commission of Russia
Place of the official seal _____________________________________________
date, signature, last name, initials
Appendix 2
STATE TECHNICAL COMMISSION
UNDER THE PRESIDENT OF THE RUSSIAN FEDERATION
————————————————-
CERTIFICATION SYSTEM OF INFORMATION SECURITY MEANS
ACCORDING TO INFORMATION SECURITY REQUIREMENTS
CERTIFICATE OF ACCREDITATION OF THE TESTING LABORATORY
Valid until «____»__________19__.
Registered in the state register of the certification system
information protection tools according to information security requirements
«____» __________ 19__. N ______________
THE STATE TECHNICAL COMMISSION OF RUSSIA CERTIFIES THAT ______________________________
name of the enterprise —
______________________________________________________________________
testing laboratory, address, OKPO code
ACCREDITED BY THE STATE TECHNICAL COMMISSION UNDER THE PRESIDENT
OF THE RUSSIAN FEDERATION IN THE INFORMATION SECURITY MEANS CERTIFICATION SYSTEM
ACCORDING TO INFORMATION SECURITY REQUIREMENTS FOR CONDUCTING CERTIFICATION
TESTS OF INFORMATION SECURITY MEANS.
The scope of accreditation is defined in the appendix to this Certificate.
Head of the State Technical Commission of Russia
Place of the seal ____________________ ______________________
date, signature Surname, Initials
Appendix 3
CERTIFICATION SYSTEM OF INFORMATION SECURITY MEANS
INFORMATION SECURITY REQUIREMENTS
To the Head of the Department
State Technical Commission of Russia
APPLICATION
for accreditation of a certification body
1. ____________________________________ requests that it
(name of applicant company)
be accredited as a certification body___________________
_________________________________________________________________
2. Address, telephone, telex, fax, bank account number ____
_________________________________________________________________
3. Last name, first name, patronymic name of the manager _____________________
4. Last name, first name, patronymic name, telephone number of the employee responsible
for communication _____________________________________________________
5. Name of products (objects) and indicators subject to certification (enlarged)
VKG group code, OKP (subclass, subgroup, type) | Name of products (objects) | Name of indicators |
6. The applicant undertakes to:
a) meet the requirements imposed on the certification body;
b) pay, in accordance with the concluded agreement, all expenses related to the accreditation work, regardless of their results.
Appendices:
Drafts of the «Regulations on the Certification Body» and other documents required for accreditation:
__________________________________________________________________________
__________________________________________________________________________
_______________________________________________________________________
Head ________________________________________________
(name of the applicant company)
Place of the official seal
_____________ _________________________________________
(signature) (last name, first name, patronymic)
«__» _________ 19__.
Chief accountant ______________________________________________
(name of applicant company)
_____________ _____________________________________________
(signature) (last name, first name, patronymic)
«__» _________ 19__.
Appendix 4
CERTIFICATION SYSTEM OF INFORMATION SECURITY MEANS
INFORMATION SECURITY REQUIREMENTS
To the First Deputy
Chairman of the State Technical Commission
Russia
APPLICATION
I request to accredit _____________________________________________
(laboratory name)
in the Certification System of Information Security Tools for Information Security Requirements.
Testing laboratory _______________________________________
(name)
undertakes to:
a) meet the requirements imposed on a laboratory for testing information security tools;
b) pay all costs associated with the accreditation work, regardless of its results.
Appendices: 1. Draft Regulation on the testing laboratory.
2. Passport of the testing laboratory.
Head _______________________________________________
(name of the applicant enterprise)
Place of the official seal
_____________ __________________________________
(signature) (surname, name, patronymic)
«__» _________ 19__
Chief accountant _______________________________________________
(name of the applicant company)
_____________ __________________________________
(signature) (surname, name, patronymic)
«__» _________ 19__.
Appendix 5
Appendix to the Accreditation Certificate
dated «__» _____________ 19__. N _____
ACCREDITATION AREA
testing laboratory________________________________________________________
(organization name)
for certification of information security tools according to information security requirements,
operating in the certification system of the State Technical Commission of Russia
Item No. | Name of the tested product | Code | Name of tests and (or) characteristics (parameters) according to which certification is carried out | Name (designation) of regulatory documents according to which certification is carried out: for products | for testing methods |
Head of _______________________________________________
(name of applicant company)
_____________ __________________________________
(signature) (last name, first name, patronymic)
«__» _________ 19__
Appendix 6
_______________________________________
(name of organization, enterprise)
I APPROVE
Head of ________________________
(name
_____________________________________
of the testing laboratory)
_________ _________________________
(signature) (last name, initials)
«____» ______________ 19__
Place of the seal
PASSPORT
testing laboratory
_________________________________________________
(name of testing laboratory)
1. Testing laboratory _____________________________
(name,
_________________________________________________________________
mailing address)
2. Head of the laboratory ________________________________
(position,
_________________________________________________________________
last name, first name, patronymic, phone)
3. The organization (enterprise) that includes the testing laboratory _____________________________________
(name,
_________________________________________________________________
mailing address)
4. The head of the organization (enterprise) __________________
(job title,
_________________________________________________________________
last name, first name, patronymic, telephone)
The following data must be provided in the testing laboratory passport:
1. The nomenclature of the tested products, indicating the OKP code and regulatory documentation for it.
2. Types of tests performed with indication of regulatory documents on test methods.
3. Equipment with test equipment (TE) with indication of data:
- name of the product tested;
- name of tests and determined characteristics (parameters)
- name of the equipment, type (brand), factory and inventory number;
- manufacturer (firm);
- main technical characteristics;
- year of commissioning;
- depreciation rate;
- date and number of the equipment certification document, frequency.
Data is filled in by sections:
— Serially produced TE for general industrial use.
— Serially produced TE for industry use.
— Non-standardized TE of in-house development.
— Mobile (transportable) measuring instruments.
— Unique TE.
— Test facilities.
4. Equipment of measuring instruments for testing products (objects), indicating the data:
- name of the characteristics to be determined and the parameters to be measured;
- name of measuring instrument, type (brand), factory and inventory number;
- manufacturer (firm);
- main technical characteristics (measurement range, error);
- year of commissioning;
- date and number of the measuring instrument inspection report, frequency;
- depreciation rate (%).
Information is presented by groups:
— serially produced measuring instruments for general industrial use;
— serially produced measuring instruments for industry use;
— Non-standardized and special-purpose measuring instruments intended for measurements in a given center (laboratory) or manufactured in single copies.
5. Equipment of measuring instruments for certification of measuring instruments, indicating the following information:
— name of measuring instrument;
— name of document on methods of certification of measuring instruments;
— range and accuracy of measurements;
— measuring instrument name, type (brand);
— manufacturer (firm), factory and inventory number;
— technical specifications;
— year of commissioning;
— date and number of inspection protocol, frequency;
— additional information.
The information is presented for the following groups:
— Serially produced measuring instruments for general industrial use.
— Serially produced measuring instruments for industry use.
— Non-standardized measuring instruments and special-purpose measuring instruments.
6. Availability of standard samples for analytical control, indicating the data:
— purpose of the standard samples used (calibration of devices, control of the correctness of measurement results, certification of samples of other categories);
— designation and name of the regulatory documents that establish the use of standard samples;
— name and number of the sample;
— approved by whom and when (approval level — state, industry, enterprise);
— certified characteristics;
— error in establishing certified characteristics;
— expiration date;
— degree of security;
— availability of certificates.
7. List of regulatory documents (RD) establishing requirements for the products being tested and for their testing methods, indicating:
— RD designation;
— RD name;
— by whom and when the document was approved;
— date of entry into force;
— document validity period.
8. Personnel list indicating:
- last name, first name, patronymic;
- job title;
- education;
- types of testing performed;
- date and number of the certification protocol, frequency;
- employees of other departments involved in the testing are indicated in the note.
9. Condition of production facilities, indicating the data:
- purpose of facilities (including types of tests performed);
- special or adapted premises;
- area;
- temperature and humidity;
- illumination at workplaces;
- gas contamination level;
- noise level;
- interference level;
- availability of special equipment (ventilation, interference protection, etc.);
- availability of shielded rooms and anechoic chambers, their characteristics;
- convenience of delivery of product samples for testing;
- conditions for acceptance and storage of samples.
Appendix 7
QUESTIONNAIRE
with data on the status of the testing laboratory.
1. Testing laboratory applying for accreditation:
Name:
Address:
Phone:
Fax:
2. The enterprise to which the testing laboratory is subordinate:
Name:
Address:
Phone:
Fax:
3. The person responsible for this questionnaire:
Last name, first name, patronymic:
Position:
Phone:
Fax:
4. Person responsible for communication with the State Technical Commission of Russia:
Last name, first name, patronymic:
Position:
Phone:
Fax:
5. Ministry (department):
6. Management team and structure:
6.1. Names and positions of the responsible managers of the testing laboratory and the enterprise to which it is subordinate:
6.2. The person responsible for the quality assurance system of the testing laboratory:
6.3. The person responsible for communication with other organizations and his assistant:
6.4. Departments submitted for accreditation:
Structural diagram:
7. Employees:
7.1. Total number of employees:
7.2. Total number of qualified employees in the proposed scope of accreditation:
8. Equipment:
List of main testing equipment:
9. Services:
9.1. List of services with indication of the limits of each service and technical conditions for testing:
9.2. All types of testing are performed independently:
10. Other information:
10.1. Special communication
10.2. Additional information useful for attestation experts:
11. Quality management policy:
11.1. Are the testing laboratory's operating policies and procedures an integral part of the «Quality Manual»?
11.2. Is the person responsible for quality management empowered to identify quality problems and find effective means to solve them?
11.3. Does the «Quality Manual» include procedures to provide for supervision of insufficiently qualified personnel?
11.4. Has a procedure been developed for monitoring quality management functions?
12. Instructions
12.1. Do employees have manuals, instructions, and rules regulating the performance of work?
12.2. Has a system been developed for updating the application of the specified documentation and registering changes?
12.3. Is documentation available for each test operation?
12.4. Are documents and reference data updated?
12.5. Are outdated data, etc., removed from documents in a timely manner?
13. Personnel
13.1. Are levels of professional training, professional skills defined, and are there job descriptions?
13.2. Is training provided to improve and maintain professional skills, taking into account the requirements for quality?
14. Test equipment and verification of measuring instruments.
14.1. Does the quality management system establish compatibility of the accuracy of the equipment with the tests performed?
14.2. Are all tested equipment and measuring instruments, including the results of certification and verification, registered?
14.3. Are there premises and appropriate conditions for certification, verification, transportation, control, storage and maintenance of all test equipment and measuring instruments?
14.4. Are there documents on the procedures ensuring the certification and verification of all equipment and control standards, including methods, frequency, sealing after calibration, etc.? If none of the above, indicate which certification and verification system is used.
14.5. Can the control standards used for verification be related to national or international measurement standards?
15. Test methods.
15.1. Are the test methods and procedures not specified in technical specifications, standards, etc. certified?
15.2. Do the conditions under which the tests are carried out ensure the accuracy of their performance and recording of the results?
15.3. Is there equipment for testing under the specified environmental conditions?
15.4. Is access to the test site controlled?
15.5. Is there a system in place to identify errors and their causes during testing and to eliminate erroneous results?
16. Transportation and storage
16.1. Are operating and control instructions developed and applied during transportation, storage and return of materials and samples to the customer?
16.2. Are special storage facilities provided to prevent product deterioration?
16.3. Are storage methods, including special environmental conditions, established?
16.4. Have procedures been developed for monitoring stored samples?
17. Availability of classified records management
17.1. Are there conditions for using classified materials, standards, methods and other guidance documents on certification?
17.2. Are there conditions for storing classified items and materials subject to certification?
Appendix 8
TEST LABORATORY INSPECTION REPORT
________________________________________________
(name of testing laboratory)
During the period from «__» ________ 199_ to «__» ________ 199_
based on ___________________________________________________________
(title, number and date of the document on the inspection)
________________________________ commission consisting of:
Chairman of the commission ___________________________________________
(place of work, position, initials, last name)
Deputy Chairman of the Commission _______________________________
(place of work, position,
____________________________
initials, last name)
Members of the Commission __________________________________________________
(place of work, position, initials, last name)
Secretary of the Commission ______________________________________________
(place of work, position, initials, last name)
conducted an inspection for the purpose of accreditation of ___________________________
(name of the testing laboratory)
_________________________________________________________________
(name of the enterprise in which the testing laboratory operates)
During the check it was established:
Characteristics of the state of the laboratory checked | Conclusion of the commission |
1. Status, organizational structure, administrative subordination, financial position, employee remuneration system |
2. Equipment and condition of testing equipment and measuring instruments. |
3. Availability of regulatory, technical and methodological documentation. |
4. Qualifications and experience of personnel in this area of testing, status of ongoing work to improve qualifications. |
5. Conditions for the placement of personnel, testing equipment and measuring instruments. |
6. Availability and effectiveness of the test quality assurance system. |
7. ___________________________________ (additional laboratory characteristics) |
The commission recommends _______________________________________
(commission's comments and recommendations on
_________________________________________________________________
eliminating deficiencies and improving the laboratory's work)
_________________________________________________________________
_________________________________________________________________
________________________________________________________________
_________________________________________________________________
________________________________________________________________
________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
_________________________________________________________________
Conclusion: _____________________________________________________
(recommendations of the commission regarding accreditation
_________________________________________________________________
of the laboratory and clarification, if necessary, of the scope of accreditation)
Appendices: 1. Regulation on the testing laboratory.
2. Laboratory passport.
Chairman of the commission _______________
signature
Deputy chairman of the commission _______________
signature
Commission members _______________
signature
Secretary of the commission _______________
Signature